1 /*
2 * Copyright 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include "aes_operation.h"
18
19 #include <stdio.h>
20
21 #include <new>
22
23 #include <UniquePtr.h>
24
25 #include <openssl/aes.h>
26 #include <openssl/err.h>
27 #include <openssl/rand.h>
28
29 #include <keymaster/logger.h>
30
31 #include "aes_key.h"
32 #include "openssl_err.h"
33
34 namespace keymaster {
35
36 static const size_t GCM_NONCE_SIZE = 12;
37
allows_padding(keymaster_block_mode_t block_mode)38 inline bool allows_padding(keymaster_block_mode_t block_mode) {
39 switch (block_mode) {
40 case KM_MODE_CTR:
41 case KM_MODE_GCM:
42 return false;
43 case KM_MODE_ECB:
44 case KM_MODE_CBC:
45 return true;
46 }
47 assert(false /* Can't get here */);
48 return false;
49 }
50
GetAndValidateGcmTagLength(const AuthorizationSet & begin_params,const AuthorizationSet & key_params,size_t * tag_length)51 static keymaster_error_t GetAndValidateGcmTagLength(const AuthorizationSet& begin_params,
52 const AuthorizationSet& key_params,
53 size_t* tag_length) {
54 uint32_t tag_length_bits;
55 if (!begin_params.GetTagValue(TAG_MAC_LENGTH, &tag_length_bits)) {
56 return KM_ERROR_MISSING_MAC_LENGTH;
57 }
58
59 uint32_t min_tag_length_bits;
60 if (!key_params.GetTagValue(TAG_MIN_MAC_LENGTH, &min_tag_length_bits)) {
61 LOG_E("AES GCM key must have KM_TAG_MIN_MAC_LENGTH", 0);
62 return KM_ERROR_INVALID_KEY_BLOB;
63 }
64
65 if (tag_length_bits % 8 != 0 || tag_length_bits > kMaxGcmTagLength ||
66 tag_length_bits < kMinGcmTagLength) {
67 return KM_ERROR_UNSUPPORTED_MAC_LENGTH;
68 }
69
70 if (tag_length_bits < min_tag_length_bits) {
71 return KM_ERROR_INVALID_MAC_LENGTH;
72 }
73
74 *tag_length = tag_length_bits / 8;
75 return KM_ERROR_OK;
76 }
77
CreateOperation(const Key & key,const AuthorizationSet & begin_params,keymaster_error_t * error)78 Operation* AesOperationFactory::CreateOperation(const Key& key,
79 const AuthorizationSet& begin_params,
80 keymaster_error_t* error) {
81 *error = KM_ERROR_OK;
82 const SymmetricKey* symmetric_key = static_cast<const SymmetricKey*>(&key);
83
84 switch (symmetric_key->key_data_size()) {
85 case 16:
86 case 24:
87 case 32:
88 break;
89 default:
90 *error = KM_ERROR_UNSUPPORTED_KEY_SIZE;
91 return nullptr;
92 }
93
94 keymaster_block_mode_t block_mode;
95 if (!begin_params.GetTagValue(TAG_BLOCK_MODE, &block_mode)) {
96 LOG_E("%d block modes specified in begin params", begin_params.GetTagCount(TAG_BLOCK_MODE));
97 *error = KM_ERROR_UNSUPPORTED_BLOCK_MODE;
98 return nullptr;
99 } else if (!supported(block_mode)) {
100 LOG_E("Block mode %d not supported", block_mode);
101 *error = KM_ERROR_UNSUPPORTED_BLOCK_MODE;
102 return nullptr;
103 } else if (!key.authorizations().Contains(TAG_BLOCK_MODE, block_mode)) {
104 LOG_E("Block mode %d was specified, but not authorized by key", block_mode);
105 *error = KM_ERROR_INCOMPATIBLE_BLOCK_MODE;
106 return nullptr;
107 }
108
109 size_t tag_length = 0;
110 if (block_mode == KM_MODE_GCM) {
111 *error = GetAndValidateGcmTagLength(begin_params, key.authorizations(), &tag_length);
112 if (*error != KM_ERROR_OK) {
113 return nullptr;
114 }
115 }
116
117 keymaster_padding_t padding;
118 if (!GetAndValidatePadding(begin_params, key, &padding, error)) {
119 return nullptr;
120 }
121 if (!allows_padding(block_mode) && padding != KM_PAD_NONE) {
122 LOG_E("Mode does not support padding", 0);
123 *error = KM_ERROR_INCOMPATIBLE_PADDING_MODE;
124 return nullptr;
125 }
126
127 bool caller_nonce = key.authorizations().GetTagValue(TAG_CALLER_NONCE);
128
129 Operation* op = nullptr;
130 switch (purpose()) {
131 case KM_PURPOSE_ENCRYPT:
132 op = new (std::nothrow)
133 AesEvpEncryptOperation(block_mode, padding, caller_nonce, tag_length,
134 symmetric_key->key_data(), symmetric_key->key_data_size());
135 break;
136 case KM_PURPOSE_DECRYPT:
137 op = new (std::nothrow)
138 AesEvpDecryptOperation(block_mode, padding, tag_length, symmetric_key->key_data(),
139 symmetric_key->key_data_size());
140 break;
141 default:
142 *error = KM_ERROR_UNSUPPORTED_PURPOSE;
143 return nullptr;
144 }
145
146 if (!op)
147 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
148 return op;
149 }
150
151 static const keymaster_block_mode_t supported_block_modes[] = {KM_MODE_ECB, KM_MODE_CBC,
152 KM_MODE_CTR, KM_MODE_GCM};
153
154 const keymaster_block_mode_t*
SupportedBlockModes(size_t * block_mode_count) const155 AesOperationFactory::SupportedBlockModes(size_t* block_mode_count) const {
156 *block_mode_count = array_length(supported_block_modes);
157 return supported_block_modes;
158 }
159
160 static const keymaster_padding_t supported_padding_modes[] = {KM_PAD_NONE, KM_PAD_PKCS7};
161 const keymaster_padding_t*
SupportedPaddingModes(size_t * padding_mode_count) const162 AesOperationFactory::SupportedPaddingModes(size_t* padding_mode_count) const {
163 *padding_mode_count = array_length(supported_padding_modes);
164 return supported_padding_modes;
165 }
166
AesEvpOperation(keymaster_purpose_t purpose,keymaster_block_mode_t block_mode,keymaster_padding_t padding,bool caller_iv,size_t tag_length,const uint8_t * key,size_t key_size)167 AesEvpOperation::AesEvpOperation(keymaster_purpose_t purpose, keymaster_block_mode_t block_mode,
168 keymaster_padding_t padding, bool caller_iv, size_t tag_length,
169 const uint8_t* key, size_t key_size)
170 : Operation(purpose), block_mode_(block_mode), caller_iv_(caller_iv), tag_length_(tag_length),
171 data_started_(false), key_size_(key_size), padding_(padding) {
172 memcpy(key_, key, key_size_);
173 EVP_CIPHER_CTX_init(&ctx_);
174 }
175
~AesEvpOperation()176 AesEvpOperation::~AesEvpOperation() {
177 EVP_CIPHER_CTX_cleanup(&ctx_);
178 memset_s(aad_block_buf_.get(), AES_BLOCK_SIZE, 0);
179 }
180
Begin(const AuthorizationSet &,AuthorizationSet *)181 keymaster_error_t AesEvpOperation::Begin(const AuthorizationSet& /* input_params */,
182 AuthorizationSet* /* output_params */) {
183 if (block_mode_ == KM_MODE_GCM) {
184 aad_block_buf_length_ = 0;
185 aad_block_buf_.reset(new (std::nothrow) uint8_t[AES_BLOCK_SIZE]);
186 if (!aad_block_buf_.get())
187 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
188 }
189
190 return InitializeCipher();
191 }
192
Update(const AuthorizationSet & additional_params,const Buffer & input,AuthorizationSet *,Buffer * output,size_t * input_consumed)193 keymaster_error_t AesEvpOperation::Update(const AuthorizationSet& additional_params,
194 const Buffer& input,
195 AuthorizationSet* /* output_params */, Buffer* output,
196 size_t* input_consumed) {
197 keymaster_error_t error;
198 if (block_mode_ == KM_MODE_GCM)
199 if (!HandleAad(additional_params, input, &error))
200 return error;
201
202 if (!InternalUpdate(input.peek_read(), input.available_read(), output, &error))
203 return error;
204 *input_consumed = input.available_read();
205
206 return KM_ERROR_OK;
207 }
208
is_bad_decrypt(unsigned long error)209 inline bool is_bad_decrypt(unsigned long error) {
210 return (ERR_GET_LIB(error) == ERR_LIB_CIPHER && //
211 ERR_GET_REASON(error) == CIPHER_R_BAD_DECRYPT);
212 }
213
Finish(const AuthorizationSet & additional_params,const Buffer & input,const Buffer &,AuthorizationSet * output_params,Buffer * output)214 keymaster_error_t AesEvpOperation::Finish(const AuthorizationSet& additional_params,
215 const Buffer& input, const Buffer& /* signature */,
216 AuthorizationSet* output_params, Buffer* output) {
217 keymaster_error_t error;
218 if (!UpdateForFinish(additional_params, input, output_params, output, &error))
219 return error;
220
221 if (!output->reserve(AES_BLOCK_SIZE))
222 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
223
224 if (block_mode_ == KM_MODE_GCM && aad_block_buf_length_ > 0 && !ProcessBufferedAadBlock(&error))
225 return error;
226
227 int output_written = -1;
228 if (!EVP_CipherFinal_ex(&ctx_, output->peek_write(), &output_written)) {
229 if (tag_length_ > 0)
230 return KM_ERROR_VERIFICATION_FAILED;
231 LOG_E("Error encrypting final block: %s", ERR_error_string(ERR_peek_last_error(), NULL));
232 return TranslateLastOpenSslError();
233 }
234
235 assert(output_written <= AES_BLOCK_SIZE);
236 if (!output->advance_write(output_written))
237 return KM_ERROR_UNKNOWN_ERROR;
238 return KM_ERROR_OK;
239 }
240
need_iv() const241 bool AesEvpOperation::need_iv() const {
242 switch (block_mode_) {
243 case KM_MODE_CBC:
244 case KM_MODE_CTR:
245 case KM_MODE_GCM:
246 return true;
247 case KM_MODE_ECB:
248 return false;
249 default:
250 // Shouldn't get here.
251 assert(false);
252 return false;
253 }
254 }
255
InitializeCipher()256 keymaster_error_t AesEvpOperation::InitializeCipher() {
257 const EVP_CIPHER* cipher;
258 switch (block_mode_) {
259 case KM_MODE_ECB:
260 switch (key_size_) {
261 case 16:
262 cipher = EVP_aes_128_ecb();
263 break;
264 case 24:
265 cipher = EVP_aes_192_ecb();
266 break;
267 case 32:
268 cipher = EVP_aes_256_ecb();
269 break;
270 default:
271 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
272 }
273 break;
274 case KM_MODE_CBC:
275 switch (key_size_) {
276 case 16:
277 cipher = EVP_aes_128_cbc();
278 break;
279 case 24:
280 cipher = EVP_aes_192_cbc();
281 break;
282 case 32:
283 cipher = EVP_aes_256_cbc();
284 break;
285 default:
286 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
287 }
288 break;
289 case KM_MODE_CTR:
290 switch (key_size_) {
291 case 16:
292 cipher = EVP_aes_128_ctr();
293 break;
294 case 24:
295 cipher = EVP_aes_192_ctr();
296 break;
297 case 32:
298 cipher = EVP_aes_256_ctr();
299 break;
300 default:
301 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
302 }
303 break;
304 case KM_MODE_GCM:
305 switch (key_size_) {
306 case 16:
307 cipher = EVP_aes_128_gcm();
308 break;
309 case 24:
310 cipher = EVP_aes_192_gcm();
311 break;
312 case 32:
313 cipher = EVP_aes_256_gcm();
314 break;
315 default:
316 return KM_ERROR_UNSUPPORTED_KEY_SIZE;
317 }
318 break;
319 default:
320 return KM_ERROR_UNSUPPORTED_BLOCK_MODE;
321 }
322
323 if (!EVP_CipherInit_ex(&ctx_, cipher, NULL /* engine */, key_, iv_.get(), evp_encrypt_mode()))
324 return TranslateLastOpenSslError();
325
326 switch (padding_) {
327 case KM_PAD_NONE:
328 EVP_CIPHER_CTX_set_padding(&ctx_, 0 /* disable padding */);
329 break;
330 case KM_PAD_PKCS7:
331 // This is the default for OpenSSL EVP cipher operations.
332 break;
333 default:
334 return KM_ERROR_UNSUPPORTED_PADDING_MODE;
335 }
336
337 if (block_mode_ == KM_MODE_GCM) {
338 aad_block_buf_length_ = 0;
339 aad_block_buf_.reset(new (std::nothrow) uint8_t[AES_BLOCK_SIZE]);
340 if (!aad_block_buf_.get())
341 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
342 }
343
344 return KM_ERROR_OK;
345 }
346
GetIv(const AuthorizationSet & input_params)347 keymaster_error_t AesEvpOperation::GetIv(const AuthorizationSet& input_params) {
348 keymaster_blob_t iv_blob;
349 if (!input_params.GetTagValue(TAG_NONCE, &iv_blob)) {
350 LOG_E("No IV provided", 0);
351 return KM_ERROR_INVALID_ARGUMENT;
352 }
353 if (block_mode_ != KM_MODE_GCM && iv_blob.data_length != AES_BLOCK_SIZE) {
354 LOG_E("Expected %d-byte IV for AES operation, but got %d bytes", AES_BLOCK_SIZE,
355 iv_blob.data_length);
356 return KM_ERROR_INVALID_NONCE;
357 }
358 if (block_mode_ == KM_MODE_GCM && iv_blob.data_length != GCM_NONCE_SIZE) {
359 LOG_E("Expected %d-byte nonce for AES-GCM operation, but got %d bytes", GCM_NONCE_SIZE,
360 iv_blob.data_length);
361 return KM_ERROR_INVALID_NONCE;
362 }
363 iv_.reset(dup_array(iv_blob.data, iv_blob.data_length));
364 if (!iv_.get())
365 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
366 iv_length_ = iv_blob.data_length;
367 return KM_ERROR_OK;
368 }
369
370 /*
371 * Process Incoming Associated Authentication Data.
372 *
373 * This method is more complex than might be expected, because the underlying library silently does
374 * the wrong thing when given partial AAD blocks, so we have to take care to process AAD in
375 * AES_BLOCK_SIZE increments, buffering (in aad_block_buf_) when given smaller amounts of data.
376 */
HandleAad(const AuthorizationSet & input_params,const Buffer & input,keymaster_error_t * error)377 bool AesEvpOperation::HandleAad(const AuthorizationSet& input_params, const Buffer& input,
378 keymaster_error_t* error) {
379 assert(tag_length_ > 0);
380 assert(error);
381
382 keymaster_blob_t aad;
383 if (input_params.GetTagValue(TAG_ASSOCIATED_DATA, &aad)) {
384 if (data_started_) {
385 *error = KM_ERROR_INVALID_TAG;
386 return false;
387 }
388
389 if (aad_block_buf_length_ > 0) {
390 FillBufferedAadBlock(&aad);
391 if (aad_block_buf_length_ == AES_BLOCK_SIZE && !ProcessBufferedAadBlock(error))
392 return false;
393 }
394
395 size_t blocks_to_process = aad.data_length / AES_BLOCK_SIZE;
396 if (blocks_to_process && !ProcessAadBlocks(aad.data, blocks_to_process, error))
397 return false;
398 aad.data += blocks_to_process * AES_BLOCK_SIZE;
399 aad.data_length -= blocks_to_process * AES_BLOCK_SIZE;
400
401 FillBufferedAadBlock(&aad);
402 assert(aad.data_length == 0);
403 }
404
405 if (input.available_read()) {
406 data_started_ = true;
407 // Data has begun, no more AAD is allowed. Process any buffered AAD.
408 if (aad_block_buf_length_ > 0 && !ProcessBufferedAadBlock(error))
409 return false;
410 }
411
412 return true;
413 }
414
ProcessBufferedAadBlock(keymaster_error_t * error)415 bool AesEvpOperation::ProcessBufferedAadBlock(keymaster_error_t* error) {
416 int output_written;
417 if (EVP_CipherUpdate(&ctx_, nullptr /* out */, &output_written, aad_block_buf_.get(),
418 aad_block_buf_length_)) {
419 aad_block_buf_length_ = 0;
420 return true;
421 }
422 *error = TranslateLastOpenSslError();
423 return false;
424 }
425
ProcessAadBlocks(const uint8_t * data,size_t blocks,keymaster_error_t * error)426 bool AesEvpOperation::ProcessAadBlocks(const uint8_t* data, size_t blocks,
427 keymaster_error_t* error) {
428 int output_written;
429 if (EVP_CipherUpdate(&ctx_, nullptr /* out */, &output_written, data, blocks * AES_BLOCK_SIZE))
430 return true;
431 *error = TranslateLastOpenSslError();
432 return false;
433 }
434
min(size_t a,size_t b)435 inline size_t min(size_t a, size_t b) {
436 return (a < b) ? a : b;
437 }
438
FillBufferedAadBlock(keymaster_blob_t * aad)439 void AesEvpOperation::FillBufferedAadBlock(keymaster_blob_t* aad) {
440 size_t to_buffer = min(AES_BLOCK_SIZE - aad_block_buf_length_, aad->data_length);
441 memcpy(aad_block_buf_.get() + aad_block_buf_length_, aad->data, to_buffer);
442 aad->data += to_buffer;
443 aad->data_length -= to_buffer;
444 aad_block_buf_length_ += to_buffer;
445 }
446
InternalUpdate(const uint8_t * input,size_t input_length,Buffer * output,keymaster_error_t * error)447 bool AesEvpOperation::InternalUpdate(const uint8_t* input, size_t input_length, Buffer* output,
448 keymaster_error_t* error) {
449 assert(output);
450 assert(error);
451
452 if (!input_length)
453 return true;
454
455 if (!output->reserve(input_length + AES_BLOCK_SIZE)) {
456 *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
457 return false;
458 }
459
460 int output_written = -1;
461 if (!EVP_CipherUpdate(&ctx_, output->peek_write(), &output_written, input, input_length)) {
462 *error = TranslateLastOpenSslError();
463 return false;
464 }
465 return output->advance_write(output_written);
466 }
467
UpdateForFinish(const AuthorizationSet & additional_params,const Buffer & input,AuthorizationSet * output_params,Buffer * output,keymaster_error_t * error)468 bool AesEvpOperation::UpdateForFinish(const AuthorizationSet& additional_params,
469 const Buffer& input, AuthorizationSet* output_params,
470 Buffer* output, keymaster_error_t* error) {
471 if (input.available_read() || !additional_params.empty()) {
472 size_t input_consumed;
473 *error = Update(additional_params, input, output_params, output, &input_consumed);
474 if (*error != KM_ERROR_OK)
475 return false;
476 if (input_consumed != input.available_read()) {
477 *error = KM_ERROR_INVALID_INPUT_LENGTH;
478 return false;
479 }
480 }
481
482 return true;
483 }
484
Begin(const AuthorizationSet & input_params,AuthorizationSet * output_params)485 keymaster_error_t AesEvpEncryptOperation::Begin(const AuthorizationSet& input_params,
486 AuthorizationSet* output_params) {
487 if (!output_params)
488 return KM_ERROR_OUTPUT_PARAMETER_NULL;
489
490 if (need_iv()) {
491 keymaster_error_t error = KM_ERROR_OK;
492 if (input_params.find(TAG_NONCE) == -1)
493 error = GenerateIv();
494 else if (caller_iv_)
495 error = GetIv(input_params);
496 else
497 error = KM_ERROR_CALLER_NONCE_PROHIBITED;
498
499 if (error == KM_ERROR_OK)
500 output_params->push_back(TAG_NONCE, iv_.get(), iv_length_);
501 else
502 return error;
503 }
504
505 return AesEvpOperation::Begin(input_params, output_params);
506 }
507
Finish(const AuthorizationSet & additional_params,const Buffer & input,const Buffer & signature,AuthorizationSet * output_params,Buffer * output)508 keymaster_error_t AesEvpEncryptOperation::Finish(const AuthorizationSet& additional_params,
509 const Buffer& input, const Buffer& signature,
510 AuthorizationSet* output_params, Buffer* output) {
511 if (!output->reserve(input.available_read() + AES_BLOCK_SIZE + tag_length_))
512 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
513
514 keymaster_error_t error =
515 AesEvpOperation::Finish(additional_params, input, signature, output_params, output);
516 if (error != KM_ERROR_OK)
517 return error;
518
519 if (tag_length_ > 0) {
520 if (!output->reserve(tag_length_))
521 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
522
523 if (!EVP_CIPHER_CTX_ctrl(&ctx_, EVP_CTRL_GCM_GET_TAG, tag_length_, output->peek_write()))
524 return TranslateLastOpenSslError();
525 if (!output->advance_write(tag_length_))
526 return KM_ERROR_UNKNOWN_ERROR;
527 }
528
529 return KM_ERROR_OK;
530 }
531
GenerateIv()532 keymaster_error_t AesEvpEncryptOperation::GenerateIv() {
533 iv_length_ = (block_mode_ == KM_MODE_GCM) ? GCM_NONCE_SIZE : AES_BLOCK_SIZE;
534 iv_.reset(new (std::nothrow) uint8_t[iv_length_]);
535 if (!iv_.get())
536 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
537 if (RAND_bytes(iv_.get(), iv_length_) != 1)
538 return TranslateLastOpenSslError();
539 return KM_ERROR_OK;
540 }
541
Begin(const AuthorizationSet & input_params,AuthorizationSet * output_params)542 keymaster_error_t AesEvpDecryptOperation::Begin(const AuthorizationSet& input_params,
543 AuthorizationSet* output_params) {
544 if (need_iv()) {
545 keymaster_error_t error = GetIv(input_params);
546 if (error != KM_ERROR_OK)
547 return error;
548 }
549
550 if (tag_length_ > 0) {
551 tag_buf_length_ = 0;
552 tag_buf_.reset(new (std::nothrow) uint8_t[tag_length_]);
553 if (!tag_buf_.get())
554 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
555 }
556
557 return AesEvpOperation::Begin(input_params, output_params);
558 }
559
Update(const AuthorizationSet & additional_params,const Buffer & input,AuthorizationSet *,Buffer * output,size_t * input_consumed)560 keymaster_error_t AesEvpDecryptOperation::Update(const AuthorizationSet& additional_params,
561 const Buffer& input,
562 AuthorizationSet* /* output_params */,
563 Buffer* output, size_t* input_consumed) {
564 if (!output || !input_consumed)
565 return KM_ERROR_OUTPUT_PARAMETER_NULL;
566
567 // Barring error, we'll consume it all.
568 *input_consumed = input.available_read();
569
570 keymaster_error_t error;
571 if (block_mode_ == KM_MODE_GCM) {
572 if (!HandleAad(additional_params, input, &error))
573 return error;
574 return ProcessAllButTagLengthBytes(input, output);
575 }
576
577 if (!InternalUpdate(input.peek_read(), input.available_read(), output, &error))
578 return error;
579 return KM_ERROR_OK;
580 }
581
ProcessAllButTagLengthBytes(const Buffer & input,Buffer * output)582 keymaster_error_t AesEvpDecryptOperation::ProcessAllButTagLengthBytes(const Buffer& input,
583 Buffer* output) {
584 if (input.available_read() <= tag_buf_unused()) {
585 BufferCandidateTagData(input.peek_read(), input.available_read());
586 return KM_ERROR_OK;
587 }
588
589 const size_t data_available = tag_buf_length_ + input.available_read();
590
591 const size_t to_process = data_available - tag_length_;
592 const size_t to_process_from_tag_buf = min(to_process, tag_buf_length_);
593 const size_t to_process_from_input = to_process - to_process_from_tag_buf;
594
595 if (!output->reserve(to_process + AES_BLOCK_SIZE))
596 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
597
598 keymaster_error_t error;
599 if (!ProcessTagBufContentsAsData(to_process_from_tag_buf, output, &error))
600 return error;
601
602 if (!InternalUpdate(input.peek_read(), to_process_from_input, output, &error))
603 return error;
604
605 BufferCandidateTagData(input.peek_read() + to_process_from_input,
606 input.available_read() - to_process_from_input);
607 assert(tag_buf_unused() == 0);
608
609 return KM_ERROR_OK;
610 }
611
ProcessTagBufContentsAsData(size_t to_process,Buffer * output,keymaster_error_t * error)612 bool AesEvpDecryptOperation::ProcessTagBufContentsAsData(size_t to_process, Buffer* output,
613 keymaster_error_t* error) {
614 assert(to_process <= tag_buf_length_);
615 if (!InternalUpdate(tag_buf_.get(), to_process, output, error))
616 return false;
617 if (to_process < tag_buf_length_)
618 memmove(tag_buf_.get(), tag_buf_.get() + to_process, tag_buf_length_ - to_process);
619 tag_buf_length_ -= to_process;
620 return true;
621 }
622
BufferCandidateTagData(const uint8_t * data,size_t data_length)623 void AesEvpDecryptOperation::BufferCandidateTagData(const uint8_t* data, size_t data_length) {
624 assert(data_length <= tag_length_ - tag_buf_length_);
625 memcpy(tag_buf_.get() + tag_buf_length_, data, data_length);
626 tag_buf_length_ += data_length;
627 }
628
Finish(const AuthorizationSet & additional_params,const Buffer & input,const Buffer & signature,AuthorizationSet * output_params,Buffer * output)629 keymaster_error_t AesEvpDecryptOperation::Finish(const AuthorizationSet& additional_params,
630 const Buffer& input, const Buffer& signature,
631 AuthorizationSet* output_params, Buffer* output) {
632 keymaster_error_t error;
633 if (!UpdateForFinish(additional_params, input, output_params, output, &error))
634 return error;
635
636 if (tag_buf_length_ < tag_length_)
637 return KM_ERROR_INVALID_INPUT_LENGTH;
638 else if (tag_length_ > 0 &&
639 !EVP_CIPHER_CTX_ctrl(&ctx_, EVP_CTRL_GCM_SET_TAG, tag_length_, tag_buf_.get()))
640 return TranslateLastOpenSslError();
641
642 AuthorizationSet empty_params;
643 Buffer empty_input;
644 return AesEvpOperation::Finish(empty_params, empty_input, signature, output_params, output);
645 }
646
Abort()647 keymaster_error_t AesEvpOperation::Abort() {
648 return KM_ERROR_OK;
649 }
650
651 } // namespace keymaster
652